<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    
    <title>Clickjacking Protection &mdash; Django 1.7.8.dev20150401230226 documentation</title>
    
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    
    <script type="text/javascript">
      var DOCUMENTATION_OPTIONS = {
        URL_ROOT:    '../',
        VERSION:     '1.7.8.dev20150401230226',
        COLLAPSE_INDEX: false,
        FILE_SUFFIX: '.html',
        HAS_SOURCE:  true
      };
    </script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <link rel="top" title="Django 1.7.8.dev20150401230226 documentation" href="../index.html" />
    <link rel="up" title="API Reference" href="index.html" />
    <link rel="next" title="contrib packages" href="contrib/index.html" />
    <link rel="prev" title="Class-based generic views - flattened index" href="class-based-views/flattened-index.html" />



 
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);
</script>


  </head>
  <body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 1.7.8.dev20150401230226 documentation</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="class-based-views/flattened-index.html" title="Class-based generic views - flattened index">previous</a>
     |
    <a href="index.html" title="API Reference" accesskey="U">up</a>
   |
    <a href="contrib/index.html" title="&lt;tt class=&#34;docutils literal&#34;&gt;&lt;span class=&#34;pre&#34;&gt;contrib&lt;/span&gt;&lt;/tt&gt; packages">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="ref-clickjacking">
            
  <div class="section" id="s-module-django.middleware.clickjacking">
<span id="s-clickjacking-protection"></span><span id="module-django.middleware.clickjacking"></span><span id="clickjacking-protection"></span><h1>Clickjacking Protection<a class="headerlink" href="#module-django.middleware.clickjacking" title="Permalink to this headline">¶</a></h1>
<p>The clickjacking middleware and decorators provide easy-to-use protection
against <a class="reference external" href="http://en.wikipedia.org/wiki/Clickjacking">clickjacking</a>.  This type of attack occurs when a malicious site
tricks a user into clicking on a concealed element of another site which they
have loaded in a hidden frame or iframe.</p>
<div class="section" id="s-an-example-of-clickjacking">
<span id="an-example-of-clickjacking"></span><h2>An example of clickjacking<a class="headerlink" href="#an-example-of-clickjacking" title="Permalink to this headline">¶</a></h2>
<p>Suppose an online store has a page where a logged in user can click &#8220;Buy Now&#8221; to
purchase an item. A user has chosen to stay logged into the store all the time
for convenience. An attacker site might create an &#8220;I Like Ponies&#8221; button on one
of their own pages, and load the store&#8217;s page in a transparent iframe such that
the &#8220;Buy Now&#8221; button is invisibly overlaid on the &#8220;I Like Ponies&#8221; button. If the
user visits the attacker&#8217;s site, clicking &#8220;I Like Ponies&#8221; will cause an
inadvertent click on the &#8220;Buy Now&#8221; button and an unknowing purchase of the item.</p>
</div>
<div class="section" id="s-preventing-clickjacking">
<span id="s-clickjacking-prevention"></span><span id="preventing-clickjacking"></span><span id="clickjacking-prevention"></span><h2>Preventing clickjacking<a class="headerlink" href="#preventing-clickjacking" title="Permalink to this headline">¶</a></h2>
<p>Modern browsers honor the <a class="reference external" href="https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header">X-Frame-Options</a> HTTP header that indicates whether
or not a resource is allowed to load within a frame or iframe. If the response
contains the header with a value of <tt class="docutils literal"><span class="pre">SAMEORIGIN</span></tt> then the browser will only
load the resource in a frame if the request originated from the same site. If
the header is set to <tt class="docutils literal"><span class="pre">DENY</span></tt> then the browser will block the resource from
loading in a frame no matter which site made the request.</p>
<p>Django provides a few simple ways to include this header in responses from your
site:</p>
<ol class="arabic simple">
<li>A simple middleware that sets the header in all responses.</li>
<li>A set of view decorators that can be used to override the middleware or to
only set the header for certain views.</li>
</ol>
</div>
<div class="section" id="s-how-to-use-it">
<span id="how-to-use-it"></span><h2>How to use it<a class="headerlink" href="#how-to-use-it" title="Permalink to this headline">¶</a></h2>
<div class="section" id="s-setting-x-frame-options-for-all-responses">
<span id="setting-x-frame-options-for-all-responses"></span><h3>Setting X-Frame-Options for all responses<a class="headerlink" href="#setting-x-frame-options-for-all-responses" title="Permalink to this headline">¶</a></h3>
<p>To set the same <tt class="docutils literal"><span class="pre">X-Frame-Options</span></tt> value for all responses in your site, put
<tt class="docutils literal"><span class="pre">'django.middleware.clickjacking.XFrameOptionsMiddleware'</span></tt> to
<a class="reference internal" href="settings.html#std:setting-MIDDLEWARE_CLASSES"><tt class="xref std std-setting docutils literal"><span class="pre">MIDDLEWARE_CLASSES</span></tt></a>:</p>
<div class="highlight-python"><div class="highlight"><pre>MIDDLEWARE_CLASSES = (
    ...
    &#39;django.middleware.clickjacking.XFrameOptionsMiddleware&#39;,
    ...
)
</pre></div>
</div>
<div class="versionchanged">
<span class="title">Changed in Django 1.6:</span> <p>This middleware is enabled in the settings file generated by
<a class="reference internal" href="django-admin.html#django-admin-startproject"><tt class="xref std std-djadmin docutils literal"><span class="pre">startproject</span></tt></a>.</p>
</div>
<p>By default, the middleware will set the <tt class="docutils literal"><span class="pre">X-Frame-Options</span></tt> header to
<tt class="docutils literal"><span class="pre">SAMEORIGIN</span></tt> for every outgoing <tt class="docutils literal"><span class="pre">HttpResponse</span></tt>. If you want <tt class="docutils literal"><span class="pre">DENY</span></tt>
instead, set the <a class="reference internal" href="settings.html#std:setting-X_FRAME_OPTIONS"><tt class="xref std std-setting docutils literal"><span class="pre">X_FRAME_OPTIONS</span></tt></a> setting:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="n">X_FRAME_OPTIONS</span> <span class="o">=</span> <span class="s">&#39;DENY&#39;</span>
</pre></div>
</div>
<p>When using the middleware there may be some views where you do <strong>not</strong> want the
<tt class="docutils literal"><span class="pre">X-Frame-Options</span></tt> header set. For those cases, you can use a view decorator
that tells the middleware not to set the header:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="kn">from</span> <span class="nn">django.http</span> <span class="kn">import</span> <span class="n">HttpResponse</span>
<span class="kn">from</span> <span class="nn">django.views.decorators.clickjacking</span> <span class="kn">import</span> <span class="n">xframe_options_exempt</span>

<span class="nd">@xframe_options_exempt</span>
<span class="k">def</span> <span class="nf">ok_to_load_in_a_frame</span><span class="p">(</span><span class="n">request</span><span class="p">):</span>
    <span class="k">return</span> <span class="n">HttpResponse</span><span class="p">(</span><span class="s">&quot;This page is safe to load in a frame on any site.&quot;</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="s-setting-x-frame-options-per-view">
<span id="setting-x-frame-options-per-view"></span><h3>Setting X-Frame-Options per view<a class="headerlink" href="#setting-x-frame-options-per-view" title="Permalink to this headline">¶</a></h3>
<p>To set the <tt class="docutils literal"><span class="pre">X-Frame-Options</span></tt> header on a per view basis, Django provides these
decorators:</p>
<div class="highlight-python"><div class="highlight"><pre><span class="kn">from</span> <span class="nn">django.http</span> <span class="kn">import</span> <span class="n">HttpResponse</span>
<span class="kn">from</span> <span class="nn">django.views.decorators.clickjacking</span> <span class="kn">import</span> <span class="n">xframe_options_deny</span>
<span class="kn">from</span> <span class="nn">django.views.decorators.clickjacking</span> <span class="kn">import</span> <span class="n">xframe_options_sameorigin</span>

<span class="nd">@xframe_options_deny</span>
<span class="k">def</span> <span class="nf">view_one</span><span class="p">(</span><span class="n">request</span><span class="p">):</span>
    <span class="k">return</span> <span class="n">HttpResponse</span><span class="p">(</span><span class="s">&quot;I won&#39;t display in any frame!&quot;</span><span class="p">)</span>

<span class="nd">@xframe_options_sameorigin</span>
<span class="k">def</span> <span class="nf">view_two</span><span class="p">(</span><span class="n">request</span><span class="p">):</span>
    <span class="k">return</span> <span class="n">HttpResponse</span><span class="p">(</span><span class="s">&quot;Display in a frame if it&#39;s from the same origin as me.&quot;</span><span class="p">)</span>
</pre></div>
</div>
<p>Note that you can use the decorators in conjunction with the middleware. Use of
a decorator overrides the middleware.</p>
</div>
</div>
<div class="section" id="s-limitations">
<span id="limitations"></span><h2>Limitations<a class="headerlink" href="#limitations" title="Permalink to this headline">¶</a></h2>
<p>The <tt class="docutils literal"><span class="pre">X-Frame-Options</span></tt> header will only protect against clickjacking in a
modern browser. Older browsers will quietly ignore the header and need <a class="reference external" href="http://en.wikipedia.org/wiki/Clickjacking#Prevention">other
clickjacking prevention techniques</a>.</p>
<div class="section" id="s-browsers-that-support-x-frame-options">
<span id="browsers-that-support-x-frame-options"></span><h3>Browsers that support X-Frame-Options<a class="headerlink" href="#browsers-that-support-x-frame-options" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
<li>Internet Explorer 8+</li>
<li>Firefox 3.6.9+</li>
<li>Opera 10.5+</li>
<li>Safari 4+</li>
<li>Chrome 4.1+</li>
</ul>
</div>
<div class="section" id="s-see-also">
<span id="see-also"></span><h3>See also<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference external" href="https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header#Browser_compatibility">complete list</a> of browsers supporting <tt class="docutils literal"><span class="pre">X-Frame-Options</span></tt>.</p>
</div>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table Of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Clickjacking Protection</a><ul>
<li><a class="reference internal" href="#an-example-of-clickjacking">An example of clickjacking</a></li>
<li><a class="reference internal" href="#preventing-clickjacking">Preventing clickjacking</a></li>
<li><a class="reference internal" href="#how-to-use-it">How to use it</a><ul>
<li><a class="reference internal" href="#setting-x-frame-options-for-all-responses">Setting X-Frame-Options for all responses</a></li>
<li><a class="reference internal" href="#setting-x-frame-options-per-view">Setting X-Frame-Options per view</a></li>
</ul>
</li>
<li><a class="reference internal" href="#limitations">Limitations</a><ul>
<li><a class="reference internal" href="#browsers-that-support-x-frame-options">Browsers that support X-Frame-Options</a></li>
<li><a class="reference internal" href="#see-also">See also</a></li>
</ul>
</li>
</ul>
</li>
</ul>

  <h3>Browse</h3>
  <ul>
    
      <li>Prev: <a href="class-based-views/flattened-index.html">Class-based generic views - flattened index</a></li>
    
    
      <li>Next: <a href="contrib/index.html"><tt class="docutils literal"><span class="pre">contrib</span></tt> packages</a></li>
    
  </ul>
  <h3>You are here:</h3>
  <ul>
      <li>
        <a href="../index.html">Django 1.7.8.dev20150401230226 documentation</a>
        
          <ul><li><a href="index.html">API Reference</a>
        
        <ul><li>Clickjacking Protection</li></ul>
        </li></ul>
      </li>
  </ul>

  <h3>This Page</h3>
  <ul class="this-page-menu">
    <li><a href="../_sources/ref/clickjacking.txt"
           rel="nofollow">Show Source</a></li>
  </ul>
<div id="searchbox" style="display: none">
  <h3>Quick search</h3>
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="Go" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    <p class="searchtip" style="font-size: 90%">
    Enter search terms or a module, class or function name.
    </p>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">Apr 02, 2015</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="class-based-views/flattened-index.html" title="Class-based generic views - flattened index">previous</a>
     |
    <a href="index.html" title="API Reference" accesskey="U">up</a>
   |
    <a href="contrib/index.html" title="&lt;tt class=&#34;docutils literal&#34;&gt;&lt;span class=&#34;pre&#34;&gt;contrib&lt;/span&gt;&lt;/tt&gt; packages">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>